Details: https://nvd.nist.gov/vuln/detail/CVE-2023-22497

This patch was selected based on its description, and based on the
associated PR. The description matches the issue described in the
NVD advisory, and the PR credits the same reporter that is also
credited with the CVE ID (in the release notes of the application).

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../netdata/netdata/CVE-2023-22497.patch      | 120 ++++++++++++++++++
 .../netdata/netdata_1.34.1.bb                 |   4 +-
 2 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 
meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch

diff --git 
a/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch 
b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch
new file mode 100644
index 0000000000..5aa2fde328
--- /dev/null
+++ b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch
@@ -0,0 +1,120 @@
+From 1aa77696d0853ab515eddea8ee7a7d16d3813571 Mon Sep 17 00:00:00 2001
+From: Costa Tsaousis <[email protected]>
+Date: Tue, 29 Nov 2022 17:28:17 +0200
+Subject: [PATCH] Strict control of streaming API keys and MACHINE GUIDs in
+ stream.conf (#14063)
+
+do not allow machine guids to be used as API keys
+
+CVE: CVE-2023-22497
+Upstream-Status: Backport 
[https://github.com/netdata/netdata/commit/811028aea2f146cc0ac2bc403f7d692add400d63]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ streaming/rrdpush.c   | 30 ++++++++++++++++++++++++------
+ streaming/stream.conf | 10 ++++++++++
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/streaming/rrdpush.c b/streaming/rrdpush.c
+index 8829d1e..0a0d9fc 100644
+--- a/streaming/rrdpush.c
++++ b/streaming/rrdpush.c
+@@ -594,21 +594,30 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, 
char *url) {
+ 
+     if(regenerate_guid(key, buf) == -1) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && 
*key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && 
*hostname)?hostname:"-", "ACCESS DENIED - INVALID KEY");
++        log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - INVALID KEY");
+         error("STREAM [receive from [%s]:%s]: API key '%s' is not valid GUID 
(use the command uuidgen to generate one). Forbidding access.", w->client_ip, 
w->client_port, key);
+         return rrdpush_receiver_permission_denied(w);
+     }
+ 
+     if(regenerate_guid(machine_guid, buf) == -1) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && 
*key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && 
*hostname)?hostname:"-", "ACCESS DENIED - INVALID MACHINE GUID");
++        log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - INVALID MACHINE GUID");
+         error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not GUID. 
Forbidding access.", w->client_ip, w->client_port, machine_guid);
+         return rrdpush_receiver_permission_denied(w);
+     }
+ 
++    const char *api_key_type = appconfig_get(&stream_config, key, "type", 
"api");
++    if(!api_key_type || !*api_key_type) api_key_type = "unknown";
++    if(strcmp(api_key_type, "api") != 0) {
++        rrdhost_system_info_free(system_info);
++        log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - API KEY GIVEN IS NOT API KEY");
++        error("STREAM [receive from [%s]:%s]: API key '%s' is a %s GUID. 
Forbidding access.", w->client_ip, w->client_port, key, api_key_type);
++        return rrdpush_receiver_permission_denied(w);
++    }
++
+     if(!appconfig_get_boolean(&stream_config, key, "enabled", 0)) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && 
*key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && 
*hostname)?hostname:"-", "ACCESS DENIED - KEY NOT ENABLED");
++        log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - KEY NOT ENABLED");
+         error("STREAM [receive from [%s]:%s]: API key '%s' is not allowed. 
Forbidding access.", w->client_ip, w->client_port, key);
+         return rrdpush_receiver_permission_denied(w);
+     }
+@@ -619,7 +628,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, 
char *url) {
+             if(!simple_pattern_matches(key_allow_from, w->client_ip)) {
+                 simple_pattern_free(key_allow_from);
+                 rrdhost_system_info_free(system_info);
+-                log_stream_connection(w->client_ip, w->client_port, (key && 
*key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && 
*hostname) ? hostname : "-", "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP");
++                log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP");
+                 error("STREAM [receive from [%s]:%s]: API key '%s' is not 
permitted from this IP. Forbidding access.", w->client_ip, w->client_port, key);
+                 return rrdpush_receiver_permission_denied(w);
+             }
+@@ -627,9 +636,18 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, 
char *url) {
+         }
+     }
+ 
++    const char *machine_guid_type = appconfig_get(&stream_config, 
machine_guid, "type", "machine");
++    if(!machine_guid_type || !*machine_guid_type) machine_guid_type = 
"unknown";
++    if(strcmp(machine_guid_type, "machine") != 0) {
++        rrdhost_system_info_free(system_info);
++        log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - MACHINE GUID GIVEN IS NOT A MACHINE 
GUID");
++        error("STREAM [receive from [%s]:%s]: machine GUID '%s' is a %s GUID. 
Forbidding access.", w->client_ip, w->client_port, machine_guid, 
machine_guid_type);
++        return rrdpush_receiver_permission_denied(w);
++    }
++
+     if(!appconfig_get_boolean(&stream_config, machine_guid, "enabled", 1)) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && 
*key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && 
*hostname)?hostname:"-", "ACCESS DENIED - MACHINE GUID NOT ENABLED");
++        log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ENABLED");
+         error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not 
allowed. Forbidding access.", w->client_ip, w->client_port, machine_guid);
+         return rrdpush_receiver_permission_denied(w);
+     }
+@@ -640,7 +658,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, 
char *url) {
+             if(!simple_pattern_matches(machine_allow_from, w->client_ip)) {
+                 simple_pattern_free(machine_allow_from);
+                 rrdhost_system_info_free(system_info);
+-                log_stream_connection(w->client_ip, w->client_port, (key && 
*key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && 
*hostname) ? hostname : "-", "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM 
THIS IP");
++                log_stream_connection(w->client_ip, w->client_port, key, 
machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM THIS 
IP");
+                 error("STREAM [receive from [%s]:%s]: Machine GUID '%s' is 
not permitted from this IP. Forbidding access.", w->client_ip, w->client_port, 
machine_guid);
+                 return rrdpush_receiver_permission_denied(w);
+             }
+diff --git a/streaming/stream.conf b/streaming/stream.conf
+index e65e76f..7229ade 100644
+--- a/streaming/stream.conf
++++ b/streaming/stream.conf
+@@ -115,6 +115,11 @@
+ [API_KEY]
+     # Default settings for this API key
+ 
++    # This GUID is to be used as an API key from remote agents connecting
++    # to this machine. Failure to match such a key, denies access.
++    # YOU MUST SET THIS FIELD ON ALL API KEYS.
++    type = api
++
+     # You can disable the API key, by setting this to: no
+     # The default (for unknown API keys) is: no
+     enabled = no
+@@ -184,6 +189,11 @@
+ # you can give settings for each sending host here.
+ 
+ [MACHINE_GUID]
++    # This GUID is to be used as a MACHINE GUID from remote agents connecting
++    # to this machine, not an API key.
++    # YOU MUST SET THIS FIELD ON ALL MACHINE GUIDs.
++    type = machine
++
+     # enable this host: yes | no
+     # When disabled, the parent will not receive metrics for this host.
+     # THIS IS NOT A SECURITY MECHANISM - AN ATTACKER CAN SET ANY OTHER GUID.
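Review bot: The new `type` checks introduced at `const char *api_key_type = appconfig_get(&stream_config, key, "type", "api");` and at the matching `machine_guid_type` lookup only reject a stream.conf section whose `type` is explicitly set to something else, so a [MACHINE_GUID] section written before this patch, with no `type` line, falls back to the `"api"` default when it is presented as an API key and passes the check; if `appconfig_get` is a plain default lookup (I cannot confirm that from the hunk), the CVE-2023-22497 mitigation takes effect only after every existing section has the new field. The added stream.conf comments say as much ("YOU MUST SET THIS FIELD ON ALL MACHINE GUIDs"), but for a backport into an already deployed 1.34.1 the migration requirement belongs in the patch header or the recipe, not only inside the config template. A fail-closed alternative is a default that matches neither expected value in both lookups, e.g. `appconfig_get(&stream_config, key, "type", "unknown")`, at the cost of rejecting unmigrated configurations until they are updated. Separately, the rewritten `log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, ...)` calls drop the former `(key && *key)?key:"-"` guards, which is safe only if key, machine_guid and hostname are already checked non-NULL earlier in `rrdpush_receiver_thread_spawn`; that function starts and ends outside this hunk, so the earlier checks cannot be verified here.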
diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb 
b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
index 516fde6281..4d57b84b07 100644
--- a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
+++ b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=fc9b848046ef54b5eaee6071947abd24"
 
 DEPENDS += "libuv util-linux zlib"
 
-SRC_URI = 
"https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz";
+SRC_URI = 
"https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz 
\
+           file://CVE-2023-22497.patch \
+           "
 SRC_URI[sha256sum] = 
"8ea0786df0e952209c14efeb02e25339a0769aa3edc029e12816b8ead24a82d7"
 
 # default netdata.conf for netdata configuration